Bug 219624

Summary: ubifs: dumping tnc tree after clearing slab cache causes panic
Product: File System
Reporter: Liyuan Pang (pangliyuan1)
Component: Other
Assignee: fs_other
Status: NEW
Severity: normal
Priority: P3
Hardware: All
OS: Linux
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:

Description Liyuan Pang 2024-12-23 03:30:01 UTC
Description:
/sys/kernel/debug/ubifs/ubix_y/dump_tnc is a debug interface to dump the ubifs tnc tree in memory, which starts with c->zroot.znode. But znodes are reclaimable, so clearing the slab cache will free all znodes in memory and make c->zroot.znode = NULL. So if we dump the tnc tree after clearing the slab cache, accessing c->zroot.znode will cause a kernel NULL pointer dereference panic.

Reproducer:
CONFIG_MTD_NAND_NANDSIM=m
CONFIG_DEBUG_FS=y
CONFIG_MTD_UBI=y
CONFIG_UBIFS_FS=y

1. insmod nandsim.ko    # this creates /dev/mtd1
2. mount -t debugfs debugfs /sys/kernel/debug
3. ubiattach -m 1 -d 1
4. ubimkvol /dev/ubi1 -m -N ubi_test
5. mkdir -p /mnt/ubifs
6. mount -t ubifs /dev/ubi1_0 /mnt/ubifs
7. echo 3 > /proc/sys/vm/drop_caches
8. echo > /sys/kernel/debug/ubifs/ubi1_0/dump_tnc

[  405.452729] UBIFS error (ubi1:0 pid 1): ubifs_assert_failed: UBIFS assert failed: zr, in fs/ubifs/tnc_misc.c:36
[  405.454461] UBIFS warning (ubi1:0 pid 1): ubifs_ro_mode.part.0: switched to read-only mode, error -22
[  405.456056] CPU: 1 UID: 0 PID: 1 Comm: bash Not tainted 6.13.0-rc4 #1
[  405.457096] Hardware name: IBM PowerNV (emulated by qemu) POWER9 0x4e1202 opal:v7.0 PowerNV
[  405.458376] Call Trace:
[  405.458869] [c000000003607a70] [c00000000101a164] dump_stack_lvl+0x88/0xc4 (unreliable)
[  405.460174] [c000000003607aa0] [c0000000007938e8] ubifs_ro_mode.part.0+0x58/0x70
[  405.461034] [c000000003607b00] [c0000000007bef40] ubifs_assert_failed+0x60/0x90
[  405.461849] [c000000003607b70] [c0000000007bbce0] ubifs_tnc_levelorder_next+0x440/0x580
[  405.462723] [c000000003607be0] [c0000000007c3684] ubifs_dump_tnc+0x70/0x118
[  405.463508] [c000000003607c70] [c0000000007bfa38] dfs_file_write+0x1b8/0x2b0
[  405.464314] [c000000003607cc0] [c0000000007c8b40] full_proxy_write+0x80/0x120
[  405.465118] [c000000003607d10] [c0000000005d2240] vfs_write+0xe0/0x520
[  405.465880] [c000000003607dc0] [c0000000005d2878] ksys_write+0x88/0x150
[  405.466648] [c000000003607e10] [c00000000002daa4] system_call_exception+0x104/0x2b0
[  405.467494] [c000000003607e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
[  405.468446] --- interrupt: 3000 at 0x7fff913b7014
[  405.469476] NIP:  00007fff913b7014 LR: 00007fff913b7014 CTR: 0000000000000000
[  405.470275] REGS: c000000003607e80 TRAP: 3000   Not tainted  (6.13.0-rc4)
[  405.471105] MSR:  900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44242402  XER: 00000000
[  405.472632] IRQMASK: 0
[  405.480183] NIP [00007fff913b7014] 0x7fff913b7014
[  405.480764] LR [00007fff913b7014] 0x7fff913b7014
[  405.481353] --- interrupt: 3000
[  405.482442] Kernel attempted to read user page (30) - exploit attempt? (uid: 0)
[  405.483630] BUG: Kernel NULL pointer dereference on read at 0x00000030
[  405.484397] Faulting instruction address: 0xc0000000007c3688
[  405.485739] Oops: Kernel access of bad area, sig: 11 [#1]
[  405.486458] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
[  405.487662] Modules linked in: nandsim nand
[  405.488559] CPU: 1 UID: 0 PID: 1 Comm: bash Not tainted 6.13.0-rc4 #1
[  405.489294] Hardware name: IBM PowerNV (emulated by qemu) POWER9 0x4e1202 opal:v7.0 PowerNV
[  405.490183] NIP:  c0000000007c3688 LR: c0000000007c3684 CTR: 0000000000000000
[  405.490948] REGS: c000000003607940 TRAP: 0300   Not tainted  (6.13.0-rc4)
[  405.491695] MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 24248204  XER: 20040006
[  405.492768] CFAR: c0000000007bbbb4 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
[  405.500571] NIP [c0000000007c3688] ubifs_dump_tnc+0x74/0x118
[  405.501223] LR [c0000000007c3684] ubifs_dump_tnc+0x70/0x118
[  405.501901] Call Trace:
[  405.502257] [c000000003607be0] [c0000000007c3684] ubifs_dump_tnc+0x70/0x118 (unreliable)
[  405.503167] [c000000003607c70] [c0000000007bfa38] dfs_file_write+0x1b8/0x2b0
[  405.503978] [c000000003607cc0] [c0000000007c8b40] full_proxy_write+0x80/0x120
[  405.504781] [c000000003607d10] [c0000000005d2240] vfs_write+0xe0/0x520
[  405.505534] [c000000003607dc0] [c0000000005d2878] ksys_write+0x88/0x150
[  405.506291] [c000000003607e10] [c00000000002daa4] system_call_exception+0x104/0x2b0
[  405.507138] [c000000003607e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
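As an added illustration, not code from the kernel or from the reporter, this constructed C model mirrors the walk ubifs_dump_tnc() makes from c->zroot.znode and shows the root check that avoids the oops once the TNC has been reclaimed. struct znode, struct ubifs_info, walk_levelorder() and demo() are simplified stand-ins, and the level-order iteration is a plain breadth-first queue rather than ubifs_tnc_levelorder_next().

```c
#include <stddef.h>
/* Constructed stand-ins for struct ubifs_znode and struct ubifs_info
 * (zroot_znode plays the role of c->zroot.znode). Not kernel code. */
struct znode { int level; int nchild; struct znode *child[4]; };
struct ubifs_info { struct znode *zroot_znode; };

/* Level-order walk below a non-NULL root, counting znodes and distinct
 * levels (the real dump prints a "== Level N ==" header per level). */
static int walk_levelorder(struct znode *root, int *levels)
{
	struct znode *queue[64];
	int head = 0, tail = 0, n = 0, last = -1;
	*levels = 0;
	queue[tail++] = root;
	while (head < tail) {
		struct znode *z = queue[head++];
		if (z->level != last) {
			last = z->level;
			(*levels)++;
		}
		n++;
		for (int i = 0; i < z->nchild; i++)
			queue[tail++] = z->child[i];
	}
	return n;
}

/* Guarded dump. After drop_caches reclaims the TNC, c->zroot.znode is NULL;
 * an unguarded walk then reads a znode field through NULL, which is the
 * read at 0x30 in the report. Refuse the dump instead of dereferencing it. */
int dump_tnc_checked(const struct ubifs_info *c, int *nodes, int *levels)
{
	*nodes = 0;
	*levels = 0;
	if (!c->zroot_znode)
		return -1;	/* TNC not in memory: nothing to dump */
	*nodes = walk_levelorder(c->zroot_znode, levels);
	return 0;
}

/* Constructed TNC: a level-1 root with two level-0 leaves. reclaimed=1 models
 * the state after "echo 3 > /proc/sys/vm/drop_caches" in the reproducer. */
int demo(int reclaimed, int *nodes, int *levels)
{
	static struct znode leaf_a = { .level = 0 }, leaf_b = { .level = 0 };
	static struct znode root = { .level = 1, .nchild = 2, .child = { &leaf_a, &leaf_b } };
	struct ubifs_info c = { .zroot_znode = reclaimed ? NULL : &root };
	return dump_tnc_checked(&c, nodes, levels);
}
```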